[squid-users] Best practice for adding or removing ACLs dynamically ?

Amos Jeffries squid3 at treenet.co.nz
Sun Nov 1 08:17:58 UTC 2020


On 1/11/20 12:27 pm, roee klinger wrote:
> Thanks Amos!
> 
> I updated "auth_param basic credentialsttl" according to your advice and 
> it is working great.
> 
> I am still having issues with the "tcp_outgoing_address 192.168.8.12 
> acl_for_user3002" part, you mentioned:
>  > For ACLs with values that are expected to change often it is best to use
>  > an external_acl_type helper that manages the updates or fetches from
>  > somewhere the updates are handled without a reload.
> 
> My script updates the authenticator successfully, but when I update "acl 
> acl_for_user3002 proxy_auth user2" to the new username I have to 
> reconfigure for it to take effect.
> I read online for hours but to my best understanding external_acl_type 
> are for auth and access control, but they don't work for my needs I believe.
> 
> Is there any way to use external_acl_type in a way I don't understand to 
> solve this problem? Do I have to reconfigure every time I make changes 
> to an ACL in squid.conf?


Some directives have to produce allow/deny result immediately, without 
waiting for a helper to respond. The details are documented here:
  <https://wiki.squid-cache.org/SquidFaq/SquidAcl>

In modern Squid you can use a helper to set annotations which are 
checked with the "note" ACL type in the fast checks.



It sounds a bit like you are trying to tie IPs to individual users. 
Please be aware that breaks the multiplexing and persistence features of 
HTTP, which is a major performance loss.

Amos
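
Added example, not part of the original message and not code from the Squid project: a sketch of the helper-plus-"note" approach described above, where an external ACL helper annotates each authenticated user with an egress address and a "note" ACL matches that annotation in the fast tcp_outgoing_address check. The helper path, map file, ACL names, the "egress_" key and the squid.conf wiring in the docstring are assumptions, as is concurrency=0.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: annotate each user with an egress address.

Assumed squid.conf wiring (names, path and key are hypothetical):
  external_acl_type user_egress ttl=0 negative_ttl=0 %LOGIN /usr/local/bin/egress_helper.py
  acl egress_lookup external user_egress
  http_access allow egress_lookup                # slow check: helper runs here
  acl egress_12 note egress_ 192.168.8.12        # fast check on the annotation
  tcp_outgoing_address 192.168.8.12 egress_12
"""
import ipaddress
import os
import sys
from urllib.parse import unquote

MAP_FILE = "/etc/squid/user_egress.map"  # hypothetical path; lines of "user ip"

def parse_map(text):
    """Parse 'username ip' lines; skip comments and invalid addresses."""
    mapping = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) != 2:
            continue
        try:
            mapping[fields[0]] = str(ipaddress.ip_address(fields[1]))
        except ValueError:
            continue  # never hand Squid a value that is not an IP address
    return mapping

def answer(line, mapping):
    """Build the helper reply for one request line (concurrency=0 assumed)."""
    user = unquote(line.strip())  # Squid URL-escapes helper input by default
    ip = mapping.get(user)
    return f"OK egress_={ip}" if ip else "ERR"

def main():
    mapping, seen = {}, None
    for line in sys.stdin:
        mtime = os.stat(MAP_FILE).st_mtime
        if mtime != seen:  # file edited: reload it, no "squid -k reconfigure"
            with open(MAP_FILE) as fh:
                mapping, seen = parse_map(fh.read()), mtime
        print(answer(line, mapping), flush=True)

if __name__ == "__main__":
    main()
```

With this layout only the user-to-address map changes at runtime; the per-address "note" ACLs and tcp_outgoing_address lines in squid.conf stay fixed.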

